Update id/auth dependency

6d3a620e · ale · 45c4f032 · 6d3a620e · 6d3a620e · 6d3a620e
Commit 6d3a620e authored Oct 24, 2019 by ale
4 changed files
--- a/vendor/git.autistici.org/id/auth/README.md
+++ b/vendor/git.autistici.org/id/auth/README.md
@@ -121,7 +121,29 @@ should specify the following attributes:
  only be applied to failed authentication requests
 * `keys` is a list of strings specifying the request identifiers that
  will make up the rate limiter key. The list can include one or both
-  of *ip* (referring to the remote client's IP) and *user* (username)
+  of *ip* (referring to the remote client's IP) and *user* (username).
+* `bypass` is a list of criteria that will cause the request to skip
+  the enforcement of this ratelimit/blacklist. Criteria are objects
+  with `key` (one of *ip* or *user*) and *value* attributes, which
+  specify an exact equality match.
+
+The following is an example of an IP-based ratelimit with blacklist
+period of 1 hour, that will allow an arbitrary amount of requests from
+localhost:
+
+```yaml
+rate_limits:
+  blacklist_10qps_1h:
+    limit: 100
+    period: 10
+    blacklist_for: 3600
+    keys: [ip]
+    bypass:
+      - key: ip
+        value: "127.0.0.1"
+      - key: ip
+        value: "::1"
+```

 ## Service definition

@@ -160,8 +182,10 @@ user, with the following attributes:

 * `name` is the username
 * `email` is the email associated with the user (optional)
-* `password` stores the encrypted password
+* `password` stores the encrypted password, see *Password Encoding*
+  below for details on the supported algorithms etc.
 * `totp_secret` stores the *unencrypted* TOTP secret seed
+  (base32-encoded)
 * `u2f_registrations` is a list of U2F registrations with `key_handle`
  and `public_key` attributes, in the format used by *pamu2fcfg* (for
  convenience)
@@ -209,8 +233,10 @@ LDAP attributes). The following attribute names are defined:

 * `password` contains the encrypted password. Since this attribute is
  often also used for authentication of the LDAP protocol itself, an
-  eventual `{crypt}` prefix is ignored. Passwords should be encrypted.
-* `otp_secret` should contain the hex-encoded TOTP secret
+  eventual `{crypt}` prefix is ignored. Passwords should be encrypted,
+  see *Password Encoding* below for details on the supported
+  algorithms etc.
+* `otp_secret` should contain the base32-encoded TOTP secret
 * `app_specific_password` (possibly repeated) contains an encrypted
  app-specific password

@@ -409,3 +435,28 @@ Responses will contain the following attributes:
  * `email`: email of this user
  * `groups`: groups the user is a member of.

+### Password encoding
+
+Multiple password hashing algorithms are supported. The format is the
+well-known dollar-separated field string, extended with optional
+algorithm-specific parameters:
+
+```
+$id[$params...]$salt$encrypted
+```
+
+where the optional *params* field is itself a dollar-separated list of
+integers.
+
+All *id* values understood by the libc *crypt(3)* function are
+supported, as well as a few more custom algorithms:
+
+* Scrypt (id `$s$`), in which case the parameters are *N*, *R* and
+  *P*.
+
+* Argon2 (id `$a2$`), with parameters *time*, *memory* and
+  *threads*.
+
+Check the documentation for these algorithms for an explanation of the
+meaning of the parameters. Each algorithm has different requirements
+for the salt.
--- a/vendor/git.autistici.org/id/auth/client/client.go
+++ b/vendor/git.autistici.org/id/auth/client/client.go
@@ -2,8 +2,11 @@ package client

 import (
 	"context"
+	"net"
 	"net/textproto"

+	"github.com/cenkalti/backoff"
+
 	"git.autistici.org/id/auth"
 )

@@ -26,6 +29,23 @@ func New(socketPath string) Client {
 }

 func (c *socketClient) Authenticate(ctx context.Context, req *auth.Request) (*auth.Response, error) {
+	// Retry the request, with backoff, if we get a temporary
+	// network error.
+	var resp *auth.Response
+	err := backoff.Retry(func() error {
+		var err error
+		resp, err = c.doAuthenticate(ctx, req)
+		if err == nil {
+			return nil
+		} else if netErr, ok := err.(net.Error); ok && netErr.Temporary() {
+			return netErr
+		}
+		return backoff.Permanent(err)
+	}, backoff.WithContext(backoff.NewExponentialBackOff(), ctx))
+	return resp, err
+}
+
+func (c *socketClient) doAuthenticate(ctx context.Context, req *auth.Request) (*auth.Response, error) {
 	// Create the connection outside of the timed goroutine, so
 	// that we can call Close() on exit regardless of the reason:
 	// this way, when a timeout occurs or the context is canceled,

--- a/vendor/git.autistici.org/id/auth/codec.go
+++ b/vendor/git.autistici.org/id/auth/codec.go
@@ -148,7 +148,7 @@ func (i *inputScanner) parseQuotedString() (string, error) {
 }

 func (i *inputScanner) parseBase64String() (string, error) {
-	data := i.parseUntilOrEOF(' ')
+	data := bytes.TrimRight(i.parseUntilOrEOF(' '), "=")
 	out := make([]byte, base64.RawURLEncoding.DecodedLen(len(data)))
 	_, err := base64.RawURLEncoding.Decode(out, data)
 	if err != nil {

--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@@ -27,16 +27,16 @@
 			"revisionTime": "2019-06-30T08:30:15Z"
 		},
 		{
-			"checksumSHA1": "T9WPwUls+LPk89st6TGCbQf5HNQ=",
+			"checksumSHA1": "5WLGZjUV9Ly/rMdQwo9j8FJSlQA=",
 			"path": "git.autistici.org/id/auth",
-			"revision": "5f6c4202ceac71349b414ab65b94f8e0f191c208",
-			"revisionTime": "2019-05-24T11:03:32Z"
+			"revision": "ffc5d8791fd81d28fb2b0bce4540a10426a25124",
+			"revisionTime": "2019-10-24T15:02:31Z"
 		},
 		{
-			"checksumSHA1": "Xd+uslNbKnbygNAhwAWQ2JVc6do=",
+			"checksumSHA1": "3xM1BQ7kVyqn74GQz07uCBSNh2E=",
 			"path": "git.autistici.org/id/auth/client",
-			"revision": "5f6c4202ceac71349b414ab65b94f8e0f191c208",
-			"revisionTime": "2019-05-24T11:03:32Z"
+			"revision": "ffc5d8791fd81d28fb2b0bce4540a10426a25124",
+			"revisionTime": "2019-10-24T15:02:31Z"
 		},
 		{
 			"checksumSHA1": "MlpsZgRytv/c9IX9YawRJDN/ibQ=",